Conditional Access seems to work without setting IgnoreNoRevocationCheck on RRAS or NPS.
As per the article below, we implemented Conditional Access in our environment as an additional layer of security before connecting to AOVPN.
Here is an overview of our environment.
8 x RRAS --> RADIUS authentication (2 x NPS)
Clients - Windows 10 20H2
Devices are managed using Intune, and the client authentication certificate (user certificate) comes from our PKI via NDES.
Below are the steps included/excluded during the implementation.
Due to security recommendations, we skipped Step 7.1 (ignoring certificate revocation on RRAS and NPS).
We also skipped adding the XML below from Step 7.5, Procedure 3:
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
  <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
    <EKUMapping>
      <EKUMap>
        <EKUName>AAD Conditional Access</EKUName>
        <EKUOID>1.3.6.1.4.1.311.87</EKUOID>
      </EKUMap>
    </EKUMapping>
    <ClientAuthEKUList Enabled="true">
      <EKUMapInList>
        <EKUName>AAD Conditional Access</EKUName>
      </EKUMapInList>
    </ClientAuthEKUList>
  </FilteringInfo>
</TLSExtensions>
Added "IgnoreNoRevocationCheck" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 and \25 on our managed clients.
Steps 7.2 - 7.4 were implemented exactly as in the article above.
Result: it is working after following the above steps, but it would be much appreciated to know what the potential impact of ignoring the revocation check on the client end could be. (One known possibility would be that the clients would fail to do a CRL check.) What other security risks are involved?
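The following PowerShell script is an added example and is not part of the original post or of the Microsoft article it refers to. It lists the revocation-related values under the two EAP registry keys named in the post (13 = EAP-TLS, 25 = PEAP), can write the IgnoreNoRevocationCheck DWORD the poster added, and then approximates with .NET's X509Chain what that setting changes: a chain whose revocation status cannot be determined (CRL unreachable or no CDP) is accepted, while a certificate that is definitely revoked is still rejected. The `-Thumbprint` parameter, the `Cert:\CurrentUser\My` store, and the mapping from chain status flags to an accept/reject decision are this example's own assumptions; the real EAP stack performs its own chain validation, and this script only illustrates the difference in outcome.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original post. Run elevated if you use -SetIgnoreNoRevocationCheck.
param(
    [string]$Thumbprint,                 # assumed: a cert in Cert:\CurrentUser\My to evaluate
    [switch]$SetIgnoreNoRevocationCheck  # write the DWORD the post describes
)

# EAP type 13 = EAP-TLS, 25 = PEAP: the two keys named in the post.
$EapTypes = @{ 13 = 'EAP-TLS'; 25 = 'PEAP' }
# RasMan values that each loosen revocation checking in a different way.
$ValueNames = 'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline',
              'NoRevocationCheck', 'NoRootRevocationCheck'

function Get-EapRevocationSettings {
    # Report which of the loosening values are currently enabled per EAP type.
    foreach ($type in ($EapTypes.Keys | Sort-Object)) {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\$type"
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($name in $ValueNames) {
            [pscustomobject]@{
                EapType = "$type ($($EapTypes[$type]))"
                Value   = $name
                Enabled = [bool]($props -and $props.$name -eq 1)
            }
        }
    }
}

function Set-EapIgnoreNoRevocationCheck {
    # Creates the keys if missing and sets IgnoreNoRevocationCheck = 1 for both EAP types.
    foreach ($type in $EapTypes.Keys) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\$type"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'IgnoreNoRevocationCheck' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CertChainRevocation {
    # Approximation (assumed mapping): IgnoreNoRevocationCheck only suppresses the
    # "status unknown" outcome; a revoked cert or any other chain error still fails.
    param([X509Certificate2]$Cert, [bool]$IgnoreNoRevocationCheck)

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $null = $chain.Build($Cert)

    # OR all status entries into one integer so combined flags are handled too.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }

    $unknownMask = [int][X509ChainStatusFlags]::RevocationStatusUnknown -bor [int][X509ChainStatusFlags]::OfflineRevocation
    $revokedMask = [int][X509ChainStatusFlags]::Revoked
    $unknown = ($flags -band $unknownMask) -ne 0   # CRL/OCSP unreachable or no CDP in the cert
    $revoked = ($flags -band $revokedMask) -ne 0
    $other   = ($flags -band -bnot ($unknownMask -bor $revokedMask)) -ne 0

    $accepted = (-not $revoked) -and (-not $other) -and ((-not $unknown) -or $IgnoreNoRevocationCheck)

    [pscustomobject]@{
        Subject                 = $Cert.Subject
        RevocationUnknown       = $unknown
        Revoked                 = $revoked
        OtherChainErrors        = $other
        IgnoreNoRevocationCheck = $IgnoreNoRevocationCheck
        Accepted                = $accepted
    }
}

if ($SetIgnoreNoRevocationCheck) { Set-EapIgnoreNoRevocationCheck }
Get-EapRevocationSettings | Format-Table -AutoSize

if ($Thumbprint) {
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    # Same chain evaluated twice: once strictly, once with the setting's effect applied.
    Test-CertChainRevocation -Cert $cert -IgnoreNoRevocationCheck $false
    Test-CertChainRevocation -Cert $cert -IgnoreNoRevocationCheck $true
}
```

Running the script with a thumbprint from a client that cannot reach the CDP shows `RevocationUnknown = True` and `Accepted` flipping from False to True between the two rows; running it against a certificate that the CA has actually revoked (and whose CRL is reachable) shows `Accepted = False` in both rows. The other three values in the table (`NoRevocationCheck`, `NoRootRevocationCheck`, `IgnoreRevocationOffline`) are reported only so you can confirm nothing broader than the one value the post describes is enabled on the client.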